System: Ubuntu 24.04
Docker version: Docker version 26.1.3, build b72abbb
Docker Desktop version: v4.30.0
Reference article for the initial problems:
www.cnblogs.com/happy68/p/1…
The original text follows:
- No window appears when starting Docker Desktop after installation
Symptom: after `sudo apt install ./docker-desktop-4.29.0-amd64.deb` installs Docker Desktop successfully, no window appears, whether you click the Docker Desktop icon in the menu or run `systemctl --user start docker-desktop`.
Check the log: ~/.docker/desktop/log/host/Docker Desktop.stderr.log contains the following:
```text
[2024-04-27T06:39:49.728616797Z] [22344:0427/143949.728566:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/docker-desktop/chrome-sandbox is owned by root and has mode 4755.
```
Fix: run
```bash
sudo chown root:root /opt/docker-desktop/chrome-sandbox
sudo chmod 4755 /opt/docker-desktop/chrome-sandbox
```
Then run `systemctl --user restart docker-desktop`; the window appears and the problem is solved.
- Startup shows "An unexpected error occurred" or stays on "Starting the Docker Engine..."
Error message:
```text
running engine: waiting for the VM setup to be ready: running filesharing: running virtiofsd for /home: Error entering sandbox:
DropSupplementalGroups(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
```
Running `sudo dmesg` shows entries like the following:
```text
[ 2329.792894] audit: type=1400 audit(1714467432.031:190): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=10057 comm="virtiofsd" capability=6 capname="setgid"
```
Fix:
Note: this method may cause problems. It is confirmed to work, but after a reboot things are back the way they were, and it may carry unknown risks.
```bash
# These must run as root (e.g. in a `sudo -i` shell): with a plain
# `sudo echo 0 > /proc/sys/...` the redirection is done by the unprivileged user.
echo "==> Disabling Apparmor unprivileged userns mediation"
echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns
echo "==> Disabling Apparmor unprivileged unconfined mediation"
echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined
```
A better fix (for now):
What I am solving here is mainly the second problem:
- Startup shows "An unexpected error occurred" or stays on "Starting the Docker Engine..."
Error message:
```text
running engine: waiting for the VM setup to be ready: running filesharing: running virtiofsd for /home: Error entering sandbox:
DropSupplementalGroups(Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" })
```
What is happening: Ubuntu 24.04 sets `kernel.apparmor_restrict_unprivileged_userns=1` by default. Under that setting, an unconfined process that creates an unprivileged user namespace is transitioned into the special `unprivileged_userns` profile, which denies every capability. Docker Desktop's virtiofsd does exactly that and then tries to drop its supplementary groups, which needs CAP_SETGID inside the new namespace; AppArmor refuses, and the `DropSupplementalGroups ... PermissionDenied` error above is the result. Docker Desktop ends up in that profile in the first place because nothing in /etc/apparmor.d on a stock Ubuntu 24.04 gives it a profile of its own, so it runs with the plain `unconfined` label.
The profile in question, as shipped in /etc/apparmor.d (the line marked below is the one that produces the denial):
```text
# Special profile transitioned to by unconfined when creating an unprivileged
# user namespace.
#
abi <abi/4.0>,
include <tunables/global>
profile unprivileged_userns {
  audit deny capability,      # <-- this rule is what denies setgid / sys_admin
  audit deny change_profile,
}
```
Run `sudo dmesg` and you will see lines like the one below (the details will differ a little):
```text
[ 4399.656681] audit: type=1400 audit(1717525854.237:1154): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=35535 comm=446F636B6572204465736B746F70 capability=21 capname="sys_admin"
```
Note the comm field: the kernel hex-encodes it because the process name contains a space, and 446F636B6572204465736B746F70 decodes to "Docker Desktop". capability=21 is CAP_SYS_ADMIN, which the Docker Desktop backend also needs and which is denied for the same reason.
Fix:
Create a profile file in /etc/apparmor.d; I named mine docker-desktop, i.e. /etc/apparmor.d/docker-desktop.
Its contents:
```text
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
# adjust the attachment path below to your actual Docker Desktop install directory
profile docker-desktop /opt/docker-desktop/bin/* flags=(unconfined) {
  userns,
  capability,
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,
  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/docker-desktop>
}
```
Two things worth knowing about this profile. The rule that does the work is `userns,`: because the binaries now carry a profile name of their own instead of the `unconfined` label, the kernel no longer transitions them into `unprivileged_userns` when they create a user namespace. `flags=(unconfined)` means the profile confines nothing, so the `capability` lines are effectively redundant (a bare `capability,` would already allow all capabilities even in a confining profile); they do no harm. Make sure the attachment path matches where Docker Desktop is actually installed, otherwise the profile never attaches and nothing changes.
After writing the file, reload AppArmor and restart Docker Desktop:
```bash
sudo systemctl restart apparmor
# restart Docker Desktop
systemctl --user restart docker-desktop
```
You can confirm the profile is loaded with `sudo aa-status | grep docker-desktop`. At this point the problem is solved.
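As an added example (not code from the original post, and not Docker's own tooling), the bash helper below ties the two steps above together: it decodes and filters the `unprivileged_userns` capability denials from `sudo dmesg` (the triage step), and renders the named, unconfined profile with the `userns` rule (the fix). The function names, the `render_profile` output and the third sample log line are my own; the two sample denial lines are the ones shown in the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: triage the AppArmor
# "unprivileged_userns" denials seen in dmesg and render the named profile
# that fixes them. All function names and the sample log lines are my own.
set -euo pipefail

# The kernel hex-encodes comm= when the process name contains a space or
# other unsafe byte; 446F636B6572204465736B746F70 is "Docker Desktop".
# Quoted values (comm="virtiofsd") are returned without the quotes.
decode_comm() {
  local c=$1 i
  if [[ $c == '"'*'"' ]]; then
    c=${c#\"}
    printf '%s' "${c%\"}"
    return
  fi
  for ((i = 0; i < ${#c}; i += 2)); do
    printf "\\x${c:$i:2}"
  done
}

# Read audit lines (e.g. from `sudo dmesg` or `journalctl -k`) on stdin and
# print one "comm capname" pair per capability denial charged to the
# unprivileged_userns profile; every other AppArmor event is ignored.
userns_denials() {
  local line comm capname
  while IFS= read -r line; do
    [[ $line == *'apparmor="DENIED"'* ]] || continue
    [[ $line == *'profile="unprivileged_userns"'* ]] || continue
    [[ $line == *'operation="capable"'* ]] || continue
    comm=$(sed -n 's/.*comm=\([^ ]*\).*/\1/p' <<<"$line")
    capname=$(sed -n 's/.*capname="\([^"]*\)".*/\1/p' <<<"$line")
    printf '%s %s\n' "$(decode_comm "$comm")" "$capname"
  done
}

# Render the minimal named profile from the post: unconfined, but with a
# name of its own and the `userns` rule, so the kernel no longer switches
# these binaries into unprivileged_userns when they create a user namespace.
render_profile() {
  local name=$1 attach=$2
  cat <<EOF
abi <abi/4.0>,
include <tunables/global>

profile $name $attach flags=(unconfined) {
  userns,

  include if exists <local/$name>
}
EOF
}

# Constructed sample: the two dmesg lines from the post plus one unrelated
# denial (my own) that the filter must drop.
SAMPLE_DMESG='[ 2329.792894] audit: type=1400 audit(1714467432.031:190): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=10057 comm="virtiofsd" capability=6 capname="setgid"
[ 4399.656681] audit: type=1400 audit(1717525854.237:1154): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=35535 comm=446F636B6572204465736B746F70 capability=21 capname="sys_admin"
[ 4400.100000] audit: type=1400 audit(1717525856.000:1155): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" pid=4242 comm="firefox" name="/etc/shadow"'

if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  echo "== capability denials charged to unprivileged_userns (sample data) =="
  printf '%s\n' "$SAMPLE_DMESG" | userns_denials
  echo
  echo "== proposed /etc/apparmor.d/docker-desktop =="
  render_profile docker-desktop '/opt/docker-desktop/bin/*'
  # On a real host:
  #   sudo dmesg | userns_denials
  #   render_profile docker-desktop '/opt/docker-desktop/bin/*' | sudo tee /etc/apparmor.d/docker-desktop
  #   sudo apparmor_parser -r /etc/apparmor.d/docker-desktop
fi
```

On a real host, `sudo dmesg | userns_denials` is the quick way to confirm you are looking at this failure rather than some other AppArmor denial: an empty result after the fix means the transition into `unprivileged_userns` has stopped. `sudo apparmor_parser -r /etc/apparmor.d/docker-desktop` reloads only that one profile instead of restarting the whole apparmor service, and `sudo aa-status | grep docker-desktop` shows whether it is loaded.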